The European Commission’s proposed Digital Omnibus Package marks one of the most significant reconfigurations of EU digital regulation since GDPR entered into force in 2018. By simultaneously revising the General Data Protection Regulation, the ePrivacy Directive, and the EU AI Act, Brussels is signalling a deliberate pivot: competitiveness and regulatory simplification are now co-equal objectives alongside data protection and AI safety. For corporate decision-makers, the window between proposal and enforcement is not a pause — it is a preparation mandate.

What the Digital Omnibus Package Actually Changes

The package introduces several material amendments that will reshape enterprise risk management frameworks across the EU. Key provisions include:

  • Narrowed personal data definitions under GDPR, reducing the scope of what triggers full compliance obligations — a direct response to the Draghi Report’s finding that GDPR compliance has increased average business costs by approximately 20%.
  • Relaxed rules on automated decision-making, easing restrictions under Article 22 GDPR that have constrained AI-driven processes in credit scoring, HR screening, and customer profiling.
  • Reduced cookie consent requirements, eliminating friction-heavy banner obligations that have long been criticised as compliance theatre with negligible privacy benefit.
  • AI Act enforcement extended to December 2027 for high-risk system obligations, with national authority classification replaced by self-assessment mechanisms — a structural shift that transfers accountability directly onto deploying organisations.
  • Eased AI training data rules, facilitating broader use of personal data in model development under defined conditions, aligning EU policy more closely with innovation-oriented frameworks in the United States and United Kingdom.

New EU Guidelines on General-Purpose AI (GPAI) model obligations and a voluntary Code of Practice have also been released, clarifying transparency, copyright, and systemic safety requirements — providing compliance officers with a more actionable roadmap than the Act’s original text afforded.

The Self-Assessment Shift: A Governance Risk in Disguise

The move from national authority classification to self-assessment for high-risk AI systems is perhaps the most consequential structural change for corporate governance. While it reduces regulatory friction in the short term, it simultaneously elevates internal accountability. Organisations deploying AI in domains such as employment screening, creditworthiness assessment, or critical infrastructure must now build and maintain robust internal classification frameworks — without the safety net of external validation.

Compliance officers are strongly advised to align AI Act preparation with Quality Management System (QMS) standards, specifically prEN 18286, which addresses high-risk AI system requirements across sectors including financial services and HR. This standard provides the technical architecture needed to substantiate self-assessment decisions under regulatory scrutiny.

The parallel with GDPR’s 2018 implementation is instructive and cautionary. Organisations that treated the two-year transition period as a grace period rather than a preparation window faced disproportionate remediation costs and reputational exposure at enforcement. With AI Act deadlines now set for 2026–2027, the same risk profile applies — compounded by the complexity of AI system documentation, bias controls, and human oversight requirements.

Implications for Business: Compliance as Competitive Positioning

For mid-market companies specifically, the Digital Omnibus Package removes several technical documentation burdens that were disproportionately costly relative to enterprise-scale organisations. This creates a genuine opportunity to recalibrate data privacy and AI governance investments toward strategic capability-building rather than pure defensive compliance.

Decision-makers should consider the following immediate priorities:

  • Integrate AI Act preparation into existing GDPR governance structures. Data governance frameworks, bias controls, and human oversight mechanisms are common to both regimes. Siloed programmes are inefficient and create audit gaps.
  • Conduct an AI system inventory and preliminary risk classification before self-assessment obligations become enforceable. Retroactive classification is significantly more costly and legally exposed.
  • Engage General Counsel and Chief Compliance Officers now on the revised automated decision-making rules, particularly in financial services and employment contexts where Article 22 GDPR has historically constrained AI deployment.
  • Monitor GPAI Code of Practice developments if your organisation develops or fine-tunes foundation models — voluntary today, potentially mandatory by reference in future enforcement guidance.
  • Reassess AML and ESG reporting data flows in light of narrowed personal data definitions, as these may affect how transaction monitoring and supply chain due diligence data is classified and retained.

Key Takeaway

The EU Digital Omnibus Package is not deregulation — it is re-regulation with redistributed accountability. The compliance burden is not being eliminated; it is being internalised. Organisations that build robust self-assessment capabilities, align AI governance with GDPR-era data privacy infrastructure, and engage proactively with emerging QMS standards will be positioned to treat regulatory compliance as a source of competitive differentiation rather than a cost centre. The enforcement clock is running. The preparation window is now.